HOCO CISO program breaking ground with "virtual" CISOs

It may not be a revelation that security isn't a top priority for many organizations, but what about those companies that want to have a full-time CISO and simply cannot afford it? Enter the CISO "in residence" program in Howard County, Maryland.

The program, known as HOCO CISO, is currently providing "virtual" CISOs that offer security guidance to member companies of the Howard Tech Council (HTC) that do not have their own CSO or CPO. All organizations have to do is submit a request for counsel from the program, and one of the virtual CISOs on call will contact them to discuss a strategic security approach.

According to Jason Taule, CSO/CPO of Fei systems and one of the creators of HOCO CISO, the program came into existence as a result of increasing awareness. But with that said, the place and timing had something to do with it, too.

"The world has woken up," said Taule. "People have been saying 'something changed' in the wake of Target, but that's not true. This has been going on forever. People just finally woke up." And Howard County is a perfect place to launch a program like HOCO CISO, given that it's "cyber central," as he called it.

The program, which underwent a soft launch just prior to this year's RSA Conference, is made possible entirely through volunteer work. The Howard Tech Council has an affinity group known as HACKIT (Howard County Affinity for Cyber Knowledge and Intelligence Technologies/Talks), and the leaders of the group serve as the virtual CISOs that provide consultations.

"Every one of our virtual CISOs works on a volunteer basis," said Taule. "The intent here is to provide this guidance at essentially no cost. It's all part of our mission to give back."

Patrick Wynn, executive director of the HTC, also stressed the importance of the program representing an intersection of the public and private sectors. "We've really shaken up how economic development authorities are engaging in the community," he said. "We're leveraging assets within the county that can be of great value within the business community."

The group of volunteers that makes up the program's virtual CISO corps features no shortage of talent. With members from organizations such as AT&T and The Allegis Group, and even a former employee of the Department of the Interior, those who contact the HOCO CISO program know they're receiving legitimate counsel.

The program is currently operating on a 6-month roadmap, which has thus far produced features such as a website, office hours, and a web document that can be filled out and sent to a CISO with questions. But just because the HOCO CISO program is on a short-term roadmap now doesn't mean its creators don't have their eyes set on the future. Wynn stated that new features would continue to be introduced, though he declined to say what specifically.

"We are going to be offering even more down the road -- all volunteer leadership -- incrementally," he said. And given that the services and the program are entirely demand driven, it doesn't appear that HOCO CISO will be slowing down any time soon.

"We'll stop delivering services when companies stop having these problems," said Taule, who added that as the program gained more volunteer CISOs to provide counsel, they could start getting rotated in and out to bring new members into the fold.

In terms of the type of consultations that organizations will receive from the virtual CISOs, the advice is intended to help strike that balance between strong protection and optimized security spending. The advice is the key here, not specific security services; if a company is looking to have some pen testing done, for example, the virtual CISO's role would be to put them in touch with the companies that provide that type of service.

"We're offering a service where we say, 'Whether you can afford it or not, we're going to point you to them,'" said Wynn.

"A lot of people are talking about how some of the old school defense products are no longer able to withstand a challenge," said Taule. "So what do we do now? Is the timing right [to invest in new services]? Is this necessary? Those are the types of questions that we're going to be helping out with."

The services provided by the HOCO CISO program are especially ideal for smaller companies that have to thoroughly consider every expense, down to the penny.

"We can help them save money they're not yet wasting," said Taule. And therein lies the appeal of the program.

"We look at all of these young entrepreneurs who are focusing on building partnerships and gathering clients, etc.," said Wynn, "but what they're not doing is putting processes in to protect the crown jewels. We're not just being a response mechanism, but a platform for education to help folks understand these issues."

But the appeal extends across all companies, small and large, with or without CISOs, simply because of the opportunity to optimize.

"We were helping those who didn't have a CSO in place," said Taule. "But regardless of what a person's title is, their biggest challenge is convincing boards that they need to maximize and conserve precious funds. So even companies with CSOs would still rather use this program to save money."

Additionally, the program and its virtual CISOs serve as a second opinion, and an objective one, at that. "It's validation," said Taule. "How do I get the best bang for my buck? I've convinced my board to give me money for security, how can I best spend it?"

Thanks to the universal appeal to businesses of all sizes and with various needs, Taule says that there's been no shortage of organizations seeking out the program's virtual CISOs.

"In terms of consumption of the service, demand has been surprisingly high," said Taule. "A lot of it is, 'Tell me what you can help me with.'" But there are others, he added, that want to talk but are concerned about the legal protections around the program. The Tech Council does have legal documents to protect the virtual CISOs so their liabilities are managed, but people still have questions about how confidentiality is managed. "Some people don't want to put things in email and the like, so we're also getting people who are asking to speak in person."

In terms of future plans, there isn't anything official for an expansion or continuation of the HOCO CISO program, but Taule and Wynn aren't ruling it out, either. At the very least, they're hoping that the program will serve as an example for others to follow.

"I would love for the HOCO CISO initiative to be the exemplar for others in the region," said Wynn. "And that means either embracing this kind of initiative and bringing us in to get it up and running or figuring it out themselves. We want the tide to rise for all and I absolutely see this moving to other municipalities and jurisdictions."

Taule was similarly optimistic, though he was clear to emphasize that there was no current plan for commercialization.

"Sure, we've talked about that possibility, but there's no plan now," said Taule. "But we certainly recognize that that opportunity exists and we would be foolish not to pursue it." Both he and Wynn, however, were clear in stating that they have no plans to do anything other than support the initiatives that they have going on within the Howard County Tech Council.

Expansion -- commercialized or not -- of a program like HOCO CISO would serve to benefit everybody, but only if people are willing to collaborate, said Taule.

"We've long since recognized that the bad actors cooperate with each other," he said. "On the good guys' side, we tend to err on the side of caution and don't always collaborate when we should. [We should] strengthen the good guys' side for once."


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.